Delivered-To: freebsd-security@freebsd.org
Message-ID: <010c01c121b9$461f3040$6b00a8c0@vanbo.whoowl.com>
From: "John Van Boxtel"
Subject: Re: distributed natd
Date: Fri, 10 Aug 2001 09:26:56 -0700
Organization: Whoowl.com

> Next, I don't know whether they should communicate over TCP or UDP. I
> would use UDP since it might be faster and it allows broadcasts (one
> firewall broadcasting changes to all others on the secure network) but is
> unreliable. A persistent TCP connection may be also considered.

The persistent TCP connection could be used well, as if the connection dropped this could signal that the other gateway is down for whatever reason. This would not be useful for telling if that gateway no longer has an upstream connection, but it would definitely let you know that the gateway is no longer available (i.e. power lost, hardware failure, etc.).

> It is however not clear to me how and how often you want to check if
> firewall is alive.

See above, this would instantly let you know it's gone, but it would only tell you that the gateway is dead, not when the gateway is up but its upstream is down.

Interesting stuff :-)

JVB
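
An added example (not part of the original post and not natd code) of the liveness check discussed in the message above: a monitor on a persistent connection that reports a dropped connection as a dead peer, adds a heartbeat timeout for a peer that stops sending without closing the connection, and reads a self-reported upstream flag to cover the "gateway up, upstream down" case. The `HB up`/`HB down` line format, the state names and the timeout value are assumptions of this sketch, and a local socket pair stands in for the link between two gateways.

```python
import socket

# Assumed wire format for this sketch: one text line per heartbeat, in which
# the sending gateway reports the state of its own upstream link.
STATES = {b"HB up": "PEER_OK", b"HB down": "PEER_UPSTREAM_DOWN"}
HEARTBEAT_TIMEOUT = 0.3  # seconds of silence tolerated (constructed value)
MAX_LINE = 256           # refuse oversized input from the peer

class PeerMonitor:
    """Classify a peer gateway from what arrives on a persistent connection."""
    def __init__(self, conn, timeout=HEARTBEAT_TIMEOUT):
        self.conn = conn
        self.conn.settimeout(timeout)
        self.buf = b""

    def poll(self):
        """Wait for the next heartbeat line and return the peer's state."""
        while b"\n" not in self.buf:
            try:
                chunk = self.conn.recv(64)
            except socket.timeout:
                return "PEER_SILENT"   # connection open, but no heartbeat in time
            except OSError:
                return "PEER_DOWN"     # reset or other socket error
            if not chunk:
                return "PEER_DOWN"     # EOF: the peer closed the connection
            self.buf += chunk
            if len(self.buf) > MAX_LINE:
                return "PEER_INVALID"
        line, self.buf = self.buf.split(b"\n", 1)
        return STATES.get(line, "PEER_INVALID")

def demo():
    """Drive the monitor with constructed events over a local socket pair."""
    ours, peer = socket.socketpair()
    mon = PeerMonitor(ours)
    seen = []
    peer.sendall(b"HB up\n")
    seen.append(mon.poll())    # healthy gateway
    peer.sendall(b"HB down\n")
    seen.append(mon.poll())    # gateway alive, upstream lost
    seen.append(mon.poll())    # nothing sent: heartbeat timeout
    peer.close()
    seen.append(mon.poll())    # connection dropped
    ours.close()
    return seen

if __name__ == "__main__":
    print(demo())
```

The heartbeat lines here are unauthenticated, so the sketch relies on the link between gateways being the trusted network the thread assumes.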